U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Office of the Secretary

FY 2004 Independent Evaluation of the Department of Commerce's Information Security Program Under the Federal Information Security Management Act for FY 2004

Final Report No. OSE-16954 / October 2004

Office of Systems Evaluation


U.S. Department of Commerce, Office of Inspector General
Final Inspection Report OSE-16954, October 6, 2004


Section A: System Inventory and IT Security Performance
NOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.

A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.

A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

Column key:
  A.1.a  FY04 programs (total number / number reviewed)
  A.1.b  FY04 systems (total number / number reviewed)
  A.1.c  FY04 contractor operations or facilities (total number / number reviewed)
  A.2.a  Number of systems certified and accredited (number / percent of total)
  A.2.b  Number of systems with security control costs integrated into the life cycle of the system (number / percent of total)
  A.2.c  Number of systems for which security controls have been tested and evaluated in the last year (number / percent of total)
  A.2.d  Number of systems with a contingency plan (number / percent of total)
  A.2.e  Number of systems for which contingency plans have been tested (number / percent of total)

A dash marks a cell left blank in the original response.

Bureau         A.1.a        A.1.b        A.1.c        A.2.a           A.2.b           A.2.c           A.2.d           A.2.e
               Tot   Rev    Tot   Rev    Tot   Rev    No.   Pct       No.   Pct       No.   Pct       No.   Pct       No.   Pct
BEA             -     -      -     2      -     -      2    100.0%    2    100.0%    2    100.0%    2    100.0%    2    100.0%
BIS             -     -      -     1      -     -      0      0.0%    1    100.0%    1    100.0%    0      0.0%    0      0.0%
Census          -     1      -     2      -     -      0      0.0%    2    100.0%    2    100.0%    1     50.0%    0      0.0%
EDA             -     -      -     1      -     -      0      0.0%    1    100.0%    1    100.0%    1    100.0%    0      0.0%
ESA             -     -      -     1      -     -      0      0.0%    1    100.0%    1    100.0%    1    100.0%    0      0.0%
ITA             -     -      -     -      -     -      -        -     -        -     -        -     -        -     -        -
MBDA            -     -      -     -      -     -      -        -     -        -     -        -     -        -     -        -
NIST            -     1      -     3      -     -      0      0.0%    3    100.0%    3    100.0%    3    100.0%    1     33.3%
NOAA            -     1      -     8      -     -      0      0.0%    8    100.0%    8    100.0%    6     75.0%    0      0.0%
NTIA            -     -      -     1      -     -      0        -     1    100.0%    1    100.0%    0      0.0%    0      0.0%
NTIS            -     -      -     1      -     -      0      0.0%    1    100.0%    1    100.0%    1    100.0%    0      0.0%
OS              -     1      -     1      -     -      1    100.0%    1    100.0%    1    100.0%    1    100.0%    1    100.0%
TA              -     -      -     -      -     -      -        -     -        -     -        -     -        -     -        -
USPTO           -     1      -     3      -     -      3    100.0%    3    100.0%    3    100.0%    2     66.7%    1     33.3%
Agency Total    -     5      -    24      -     -      6     25.0%   24    100.0%   24    100.0%   18     75.0%    5     20.8%

Comments: (A.1.a.) Program reviews: 1. Census IT security program; 2. OS (Office of the Secretary)--Department-wide computer incident response capability; and 3. NIST, NOAA, and USPTO--selected aspects of IT security program through discussion with agency CIO and senior IT security officials and limited documentation review.

(A.2.a.) and (A.2.d.-A.2.e.) All 24 systems we reviewed have been certified and accredited and were identified by the bureaus as having contingency plans; 19 contingency plans were identified as tested. We did not count these items in the above performance measures, however, when our review found deficiencies in their quality or completeness such that they do not meet the minimum standards contained in Departmental IT security policy or NIST SP 800-26. Our assessment of the number of systems certified and accredited and of contingency plans is based on our review of system C&A documentation and any other documentation provided by the bureaus, as well as, in some cases, follow-up discussions with certifying officials and IT security officers. While Commerce has placed considerable emphasis on improving these areas in the past year and has made significant progress, additional improvements are needed.


A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

   a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
      Evaluation: Mostly, or 81-95% of the time

   b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.
      Evaluation: Almost Always, or 96-100% of the time

   c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.
      Evaluation: Mostly, or 81-95% of the time

   d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.
      Evaluation: Almost Always, or 96-100% of the time

   e. The OIG was included in the development and verification of the agency's IT system inventory.
      Evaluation: Mostly, or 81-95% of the time

   f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.
      Evaluation: Frequently, or 71-80% of the time

   g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components) within the agency.
      Evaluation: Almost Always, or 96-100% of the time

   h. The agency has begun to assess systems for e-authentication risk.
      Yes or No: Yes

   i. The agency has appointed a senior agency information security officer that reports directly to the CIO.
      Yes or No: Yes

Comments: (A.3.a.) OIG evaluated this statement for Census, NIST, NOAA, and USPTO. For contractors and other government agencies identified by Census and USPTO as providing services requiring review, reports on the results of the reviews were provided. NIST and NOAA indicated that they receive no services requiring review. We did not validate whether all contractor- and other government agency-provided services needing review were identified.
(A.3.d.) Although an inventory of major IT systems is maintained and updated semiannually, our review of security plans found that identification of interfaces between other systems and networks is incomplete.
(A.3.e.) The CIO's office seeks our input in developing and updating policy and guidance for inventory management, provides a copy of the most current inventory, and keeps us apprised of its efforts to validate the inventory. However, OIG has not independently validated the inventory.
(A.3.f.) The numbers appear generally to be accurate. We have concerns, however, about whether all contractor operations or facilities have been identified.
(A.3.i.) The senior IT security officer has direct access to the CIO. For supervisory purposes, she reports through the Director, Office of IT Security, Infrastructure, and Technology to the CIO.


Section B: Identification of Significant Deficiencies
NOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.

B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a POA&M has been developed. Insert rows as needed.

FY04 Significant Deficiencies

Bureau Name     Total Number   Number Repeated from FY03   Identify and Describe Each Significant Deficiency            POA&M developed? (Yes or No)
BIS             *
Census          *
EDA             *
ESA             *
NIST            *
NOAA            *
NTIA            *
NTIS            *
Agency Total    1              1                           Deficiencies in system certification and accreditation.     Yes

Comments: * We reviewed a random sample of Commerce's certification and accreditation (C&A) packages for 24 certified and accredited national-critical and mission-critical systems. C&A packages were selected from all bureaus that have national-critical and/or mission-critical systems: BEA, BIS, Census, EDA, ESA, NIST, NOAA, NTIA, NTIS, OS, and USPTO. Our sample included 50% of the Department's 16 unclassified national-critical systems and 7% of its 231 unclassified mission-critical systems (based on Commerce's July 2004 system inventory). With the exception of BEA and OS's C&A packages, our review continued to identify significant deficiencies. Serious weaknesses were identified in all national-critical systems, with the exception of BEA's. (Census, NIST, and NOAA also have national-critical systems.) Our response to Question C.2 provides specific information about the deficiencies. POA&Ms are developed for the deficiencies OIG identifies and about which we make formal recommendations in evaluation reports. However, while POA&Ms address some deficiencies identified by the bureaus in conducting C&A, the bureaus have generally not identified the weaknesses we found and thus many are not yet documented in POA&Ms.
Although Commerce continued to have significant C&A deficiencies in FY 2004, as noted previously, progress has been made, and the Department's CIO and Commerce bureaus are continuing to invest a substantial effort and resources in improving this critical area.

As a performance-based organization, USPTO submits its Performance and Accountability Report separate from that of the Department. Therefore, we address USPTO's C&A process separately. In last year's FISMA evaluation, we noted that USPTO was employing a disciplined certification and accreditation process that included rigorous testing of security controls. But because of the security weaknesses being identified by the certification process and the lack of final accreditations for all but one of its mission-critical systems, we advised USPTO to report information security as a material weakness for FY 2003, and USPTO did so. USPTO completed certification and accreditation of all of its mission-critical systems this fiscal year, maintaining its disciplined C&A process for the systems we reviewed. In our judgment, USPTO has resolved the material weakness.


Section C: OIG Assessment of the POA&M Process
NOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.

C.1. Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

   a. Known IT security weaknesses, from all components, are incorporated into the POA&M.
      Evaluation: Sometimes, or 51-70% of the time

   b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness.
      Evaluation: Almost Always, or 96-100% of the time

   c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
      Evaluation: Almost Always, or 96-100% of the time

   d. CIO develops, implements, and manages POA&Ms for every system they own and operate (a system that supports their program or programs) that has an IT security weakness.
      Evaluation: Almost Always, or 96-100% of the time

   e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      Evaluation: Almost Always, or 96-100% of the time

   f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
      Evaluation: Rarely, or 0-50% of the time

   g. System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11).
      Evaluation: Almost Always, or 96-100% of the time

   h. OIG has access to POA&Ms as requested.
      Evaluation: Almost Always, or 96-100% of the time

   i. OIG findings are incorporated into the POA&M process.
      Evaluation: Almost Always, or 96-100% of the time

   j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
      Evaluation: Almost Always, or 96-100% of the time

Comments: (C.1.a.) All weaknesses known to the Department are reported on POA&Ms. However, for the systems we reviewed, we found that IT security weaknesses identified in C&A materials were frequently not included in system or bureau POA&Ms or documented as residual risks accepted by the accrediting official. Weaknesses identified in self-assessments usually are documented on POA&Ms, but bureau self-assessments generally do not adequately identify weaknesses.

(C.1.b. and C.1.d.) Program officials and CIOs develop, implement, and manage POA&Ms when IT security weaknesses have been identified and brought to their attention. As noted in our comment on C.1.a., weaknesses identified in C&A materials were not always included in POA&Ms or documented as residual risks accepted by the accrediting official for the systems we reviewed.
(C.1.f.) The POA&M is authoritative for the Department. However, because we have found the C&A process and bureau self-assessments generally do not adequately identify weaknesses and weaknesses identified in C&A documentation are not always recorded in POA&Ms, OIG places greater reliance on our own independent reviews for identifying weaknesses.


C.2 OIG Assessment of the Certification and Accreditation Process
Section C should only be completed by the OIG. OMB is requesting IGs to assess the agency's certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency's certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

Evaluation (Department): Poor
Comments: The Department's policy and guidance generally serve as a sufficient basis for an effective C&A process, although requirements for testing must be clarified. However, our in-depth review of a random sample of C&A packages for 21 national- and mission-critical systems throughout the Department found significant weaknesses. Of the 21 packages we reviewed, (1) 10 had risk assessments that did not provide a sufficient identification of threats, vulnerabilities, and risks; (2) 8 had security plans that did not adequately describe the system environment, interconnections, and/or sensitivity; (3) 18 did not provide evidence that certification assessment and testing were adequate to ensure that security controls were implemented correctly and operating as intended; (4) 5 did not have contingency plans that were complete and provided adequate recovery procedures; (5) 12 did not have evidence of contingency testing; and (6) 15 did not document all weaknesses identified through C&A in POA&Ms.

Evaluation (USPTO): Good
Comments: Our review of 3 USPTO C&A packages found that USPTO's C&A process generally provides adequate assurance that security controls are appropriate, implemented correctly, and performing as intended. A particularly effective aspect of USPTO's process is the use of certification testing and risk assessment to identify and correct IT security weaknesses. USPTO still needs to ensure that all system components are identified and tested and that all systems have contingency plans and these plans are tested.


Section D
NOTE: ALL of Section D should be completed by BOTH the Agency CIO and the OIG.

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide security configuration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations are implemented on applicable systems. For example: If your agency has a total of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration controls are implemented, the answer would reflect "yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided below.

D.2. Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.

D.1. Has the CIO implemented agencywide policies that require detailed specific security configurations and what is the degree by which the configurations are implemented?
   Yes, No, or N/A: No
   Evaluation: N/A

   The following items (Yes, No, or N/A and Evaluation) were left blank:
   a. Windows XP Professional
   b. Windows NT
   c. Windows 2000 Professional
   d. Windows 2000
   e. Windows 2000 Server
   f. Windows 2003 Server
   g. Solaris
   h. HP-UX
   i. Linux
   j. Cisco Router IOS
   k. Oracle
   l. Other. Specify:

D.2. Do the configuration requirements implemented above in D.1.a-f. address patching of security vulnerabilities?
   Yes or No: (blank)
   Evaluation: (blank)

Comments: The Department's information security policy requires configuration management (CM) of all general support systems and major applications, including a description in system security plans of how CM is to be implemented on each system. Also, the policy recommends that employees consult various sources for information on secure operating system configurations such as the Department of Defense's Security Technical Implementation Guides. In July 2004, the Department subscribed to the Defense Information System Agency's Gold Disk configuration and patch management service, which provides products that automate the remediation of configuration vulnerabilities and aid in establishing and maintaining configurations. Bureaus may use these products at their discretion. However, the CIO has not yet implemented agencywide policies that require detailed, specific security configurations.

Our review of Census, NIST, NOAA, and USPTO found that NIST, NOAA, and USPTO have configuration requirements, which address patching of security vulnerabilities. However, we have not evaluated whether these units have developed configuration requirements for all operating systems and applications that need them, nor have we assessed the extent to which the configurations have been implemented.


Section E: Incident Detection and Handling Procedures
NOTE: ALL of Section E should be completed by BOTH the Agency CIO and the OIG.

E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided below.

   a. The agency follows documented policies and procedures for reporting incidents internally.
      Evaluation: Rarely, or 0-50% of the time

   b. The agency follows documented policies and procedures for external reporting to law enforcement authorities.
      Evaluation: Rarely, or 0-50% of the time

   c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov
      Evaluation: Rarely, or 0-50% of the time

E.2. Incident Detection Capabilities.

   a. How many systems underwent vulnerability scans and penetration tests in FY04?
      Number of systems: 19
      Percentage of total systems: 83%

   b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?
      Answer: IT security policies, user authentication, awareness and specialized training, limited use of insecure protocols and implementing SSH, SSL, role-based access, applying ACLs to routers and file systems, firewalls, host- and network-based IDS sensors, encrypted network communication links and sessions, anti-virus protection, VPNs, and PKI.

Comments: (E.1.a. & c.) Our evaluation of the Department's computer incident response capability found that bureau incident response reporting was incomplete and inconsistent, with detected incidents frequently not reported. In responding to our evaluation, the Department CIO stated that policies and procedures will be revised to provide for prompt reporting, and bureau compliance will be reviewed. We note that the Department also identified the need to improve incident response policies and procedures and documented this weakness in its POA&M in FY2004.

(E.1.b.) Few compromises were reported to OIG's Office of Investigations, and the Department's FISMA reporting shows that few were reported to law enforcement.

(E.2.a.) Response based on 23 systems; one of the 24 systems was a major application running on a different general support system that was not included in our sample.
(E.2.b.) Response based on our review of 24 systems.


Section F: Incident Reporting and Analysis
NOTE: ALL of Section F should be completed by BOTH the Agency CIO and the OIG.

F.1. For each category of incident listed: identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII, "Other". If appropriate or necessary, include comments in the Comment area provided below.
F.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area provided below.

F.1., F.2. & F.3.
F.2.\n                                                                     Number of Incidents, by category:             Number of systems affected, by category, on:\n\n\n\n                                                                    F.1.a          F.1.b.         F.1.c.         F.2.a.          F.2.b.            F.2.c.\n                                                                 Reported      Reported to US- Reported to  Systems with Systems without        How many\n                                                                 internally        CERT            law     complete and up- complete and up-    successful\n                                                                                               enforcement   to-date C&A      to-date C&A incidents occurred\n                                                                                                                                                 for known\n                                                                                                                                             vulnerabilities for\n                                                                                                                                             which a patch was\n                                                                                                                                                 available?\n\n\n\n                                                                                                                  Number of        Number of          Number of\n                                                                Number of        Number of         Number of       Systems          Systems            Systems\n                                                                Incidents        Incidents         Incidents       Affected         Affected           Affected\n    I. Root Compromise\n    II. User Compromise\n    III. 
Denial of Service Attack\n    IV. Website Defacement\n    V. Detection of Malicious Logic\n    VI. Successful Virus/worm Introduction\n    VII. Other\n                                                     Totals:         *                 *               *               *                *                  *\n\nComments: * At the time of our evaluation, incidents were not categorized in this way. However, our review of the Department\'s computer incident\nresponse capability found that most bureaus identify few incidents, and noted this was a consequence, in part, of poor incident detection techniques.\nWe found that system administrators and IT security officers need to improve their intrusion detection approaches and obtain additional specialized\ntools and training. In responding to our evaluation, the Department CIO identified actions that will be taken to address these issues including (1)\nimproving the IT security policy and procedures for reviewing network log device information, (2) obtaining automated tools, and (3) providing training\nto IT security personnel.\n\n\n\n\n                                                                                              11\n\x0c U.S. Department of Commerce                                                                                                                      Final Inspection Report OSE-16954\n Office of Inspector General                                                                                                                                         October 6, 2004\n\n\n\nSection G: Training\nNOTE: ALL of Section G should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n   G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security\n   responsibilities? 
If appropriate or necessary, include comments in the Comment area provided below.\n                                                                                    G.1.\n    G.1.a.                   G.1.b.                    G.1.c.                      G.1.d.                              G.1.e.                        G.1.f.\n\nTotal number of Employees that received IT Total number of Employees with significant                     Briefly describe training provided     Total costs for\n employees in security awareness training employees with security responsibilities that                                                           providing IT\n     FY04        in FY04, as described in   significant IT received specialized training,                                                      security training in\n                 NIST Special Publication      security     as described in NIST Special                                                              FY04\n                         800-50            responsibilities Publications 800-50 and 800-                                                            (in $\'s)\n                                                                         16\n\n\n\n\n                    Number        Percentage                            Number         Percentage\n\n\n                                                                                                     Commerce Learning Management System\n     9680             9360            96.7%             948                 584             61.6%    (Karta) and other commercial training         $505,659\n                                                                                                     sources.\n                                                                                     G.2.\n                                                                                  Yes or No\n   a. 
Does the agency explain policies regarding peer-to-peer\n   file sharing in IT security awareness training, ethics training,                 Yes\n   or any other agency wide training?\n                                                                      Yes             No\nComments: (G.1.a--G.1.b) Responses are based on evidence from a sample of operating units within Census, NIST, and NOAA, and all units of\nUSPTO. We obtained data bases identifying awareness training taken by employees, but did not validate whether the total number of employees\nidentified as needing training was correct.\n\n(G.1.c--G1.d) Responses are based on evidence from all of Census, NIST, USPTO, and one unit of NOAA. We obtained data bases identifying\nspecialized training taken by employees, but did not validate whether the total number of employees with significant IT security responsibilities\nwas correct.\n(G.2) Department awareness training explains peer-to-peer file sharing; however, not all of the awareness training provided by the Department\'s\nbureaus address this topic.\n\n\n\n\n                                                                                                12\n\x0c'